Baby-Step Giant-Step Algorithms for the Symmetric Group
|
|
- Jeremy Booth
- 6 years ago
- Views:
Transcription
1 Baby-Step Giant-Step Algorithms for the Symmetric Group Eric Bach Bryce Sandlund University of Wisconsin - Madison 1210 W Dayton St. Madison, WI ABSTRACT We study discrete logarithms in the setting of group actions. Suppose that G is a group that acts on a set S. When r, s S, a solution g G to r g = s can be thought of as a kind of logarithm. In this paper, we study the case where G = S n, and develop analogs to the Shanks babystep / giant-step procedure for ordinary discrete logarithms. Specifically, we compute two sets A, B S n such that every σ S n can be written as a product ab of elements a A and b B. Our deterministic procedure is close to optimal, in the sense that A and B can be computed efficiently and A and B are not too far from n! in size. We also analyze randomized collision algorithms for the same problem. Keywords Symmetric group, group actions, discrete logarithm, collision algorithm, computational group theory. 1. INTRODUCTION Collision algorithms have been used to obtain polynomial (typically square root) speedups since the advent of computer science. Indeed, there are even collision algorithms in the world of analog measurement [9]. Most collision algorithms exploit time-space tradeoffs, arriving at a quicker algorithm by storing part of the search space in memory and utilizing an efficient lookup scheme. One of the most famous of these collision-style methods is Shanks s baby-step giantstep procedure for the discrete logarithm problem [17]. Traditionally, the discrete logarithm problem is the problem of finding an integer k such that b k = g, where b and g are elements of a finite cyclic group of order n and b is a generator (has order n). Then there is exactly one k {1,..., n} such that b k = g. Shanks s baby-step giantstep algorithm then writes k = im + j with m = n and 0 i, j m and looks for a collision in the equation: g(b m ) i = b j. Research supported by NSF: CCF Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org. ISSAC 16, July 19 22, 2016, Waterloo, ON, Canada c 2016 ACM. ISBN /16/07... $15.00 DOI: By precomputing values of b j (or b mi ) and storing them in a hash table, a collision can be found in O( n) time and O( n) space, recovering the solution k. Various extensions of the baby-step giant-step algorithm have been developed, mostly focusing on discrete logarithm problems in groups that are important to cryptography. For the classic problem, Pollard [14] contributed two elegant methods that also exploit collision, but use very little space. (They have yet to be rigorously analyzed, in their original form.) For more information about these algorithms, and more efficient methods that apply to specific groups of an arithmetic nature, we refer to surveys by McCurley [11] and Teske [18]. Ideas similar to the baby-step giant-step algorithm have been used on 0-1 integer programming problems. (This seems to be folklore.) Suppose we want to solve Ax = b, where x is a 0-1 column vector. If we let x 1 and x 2 be halflength column vectors, and split A down the central column into A 1 and A 2, we can use collision to solve A 1x 1 = b A 2x 2. (Here, we exploit not a group structure, but rather, the associative law for matrix-vector multiplication.) For a recent application, see [5]. In this paper, we focus on a different discrete log generalization that can be stated as follows. Definition 1.1. Suppose that G is a finite group that acts on a set S. Denote by r g the action of g G on r S. Then, given elements r, s S, the group action discrete logarithm problem is the problem of finding a g such that r g = s. The first step beyond brute force search for this problem is to design an analog to the Shanks method. We will find appropriate splitting sets A, B G so that for any s in the orbit r G = {r g : g G}, we have r ab = s for some a A and b B. A match in the two sets {r a : a A} and {s b 1 : b B} recovers the solution g = ab. In this work, we treat two situations. The first is one of maximum generality: we know almost nothing about the structure of G, and can only work with it by applying it to elements of S. The second is maximally specific: G is the symmetric group S n. In neither case do we assume any particular knowledge about the orbit of r or s. For general groups (the first case), we analyze randomized methods that achieve square root speedups when compared to the naive approach of exhaustive search. For the important second case, we develop deterministic algorithms that
2 utilize the structure of S n. These algorithms have close to square root complexity. To motivate our model and concentration on S n, we give several applications that fit into our framework. 2. APPLICATIONS We first show how group actions lead to an unconventional algorithm for the graph isomorphism problem (GI). Let S be the set of adjacency matrices for graphs on n vertices. The symmetric group S n acts on S, via M g = P gmpg 1. (P g is just the permutation matrix for g.) In this case, the group action discrete logarithm problem is exactly graph isomorphism: given adjacency matrices M and N, find g S n to make M g = N. Using our results, we arrive at a deterministic graph isomorphism procedure with run time about n!. Although there are much faster algorithms than this, they are either conceptually involved [1, 2], cannot guarantee efficient performance in all cases [3], or both [12]. The babystep giant-step algorithm, on the other hand, gives an immediate proof that exhaustive search through permutations is not the best method for graph isomorphism. There are a variety of other GI-related problems that also fit in the discrete log symmetric group action framework. In particular, hypergraph isomorphism and equivalence of permutation groups via conjugation can both be formulated as symmetric group actions. Furthermore, the latter problem has no known moderately exponential (exp(n 1 c ) for c > 0) algorithm [2]. We further note that in cryptography, the solution of iterated block ciphers [10] is closely related to a group-action discrete logarithm problem in a symmetric group. Our approach may also be useful in computational Galois theory, specifically, in computing the splitting field of a polynomial [13]. Because our approach is orbit-oblivious, our framework is very general. In some problems, however, algorithms aware of orbit restrictions may benefit significantly by reducing the number of g G to consider. This is true, for example, in the graph isomorphism problem. An orbit-sensitive GI algorithm can utilize the fact that a vertex can only be mapped to another vertex of the same degree, whereas our approach will test every permutation. On the other hand, there seem to be problems where one cannot exploit such orbit restrictions. We will now develop such an example. Our problem will rely on the existence of fully homomorphic encryption schemes. Such schemes were only recently discovered, and utilize the presumed difficulty of the learning with errors problem [6]. We can explain the basic idea of homomorphic encryption as follows. Denote by E(x) the result of encrypting bitstring x into ciphertext. Then in a fully homomorphic encryption scheme, we may convert any function f to a function f on ciphertext, such that E(f(x)) = f (E(x)). This leads to the following problem: Definition 2.1. Let G be a finite group that acts on a set S. Then G acts on {E(s) : s S} via the induced action E(r) g = E(r g ). Then, given E(r) and E(s), the obfuscated group action discrete logarithm problem is the problem of finding a g G such that E(r) g = E(s). The obfuscated group action discrete log problem is a special case of the general version. In this problem, we are not given the decryption keys, r, s, or S. We may only work with the ciphertexts of S and the action of G on these ciphertexts. Thus, we must utilize orbit-oblivious approaches. Furthermore, observe that this problem can be applied to any group G. In particular, this suggests there are actions over the symmetric group such that there is no easily discernible relation between the action of S n on {1, 2,..., n} and the set S. It is worth noting that in the above setting, no backtrack search or other heuristical approaches will yield an efficient solution in practice. In the case where backtracking can yield an efficient solution, however, the worst case running time of such backtrack approaches is typically exponential. Additionally, their performance can vary from instance to instance and is often hard to predict. Although there are Monte Carlo procedures that can be used to estimate the runtime on a particular instance, such methods exhibit large variance. It is therefore of interest to develop techniques with provable running times. For the algorithm designer, realization of such a baby-step giant-step algorithm for group actions reduces to efficient construction of the sets A and B. In the remainder of this paper, we discuss various methods for this. 3. A RANDOMIZED APPROACH In this section our approach is general enough to work over any group G where random elements can be generated efficiently. In this setting, an obvious idea is to simply pick k random elements of G for the set A and k random elements of G for the set B. Then the probability a particular g G is present in AB will depend on the value of k. For ease of notation, let m = G. We have: Proposition 3.1. Suppose we pick k random elements of G without replacement for the set A and likewise for B. Then the probability a particular g G is present in AB satisfies: Pr [g AB] 1 e k2 /m. Proof. Observe that g AB precisely when each b B avoids the set {a 1 g : a A}. The probability of this event is ( 1 k ) ( 1 k ) ( 1 m m 1 ) k, m k + 1 which is at most (1 k/m) k. Rewriting the exponent and utilizing that (1 x/n) n e x gives us (( Pr [g / AB] 1 k ) m ) k/m e k2 /m, m from which the claim follows. By setting k = Θ( m), we can make the probability that g is present in AB constant. Our analysis, however, assumed sampling without replacement. If we simply sample with replacement and redraw when a duplicate is found, it is not hard to see that as long as we are sampling o(m) elements, the number of extra draws is O(1) in expectation. Note that with this approach, there will always be a nonzero probability that some group elements are missing in AB, which will lead to one-sided error in our algorithm.
3 Namely, if no g is found where r g = s, the randomized procedure only gives probabilistic evidence that no g exists. Furthermore, checking for missing elements of G in AB takes O( G ) time. While this would only need to be done once and work for any set G acts on, it is prohibitively expensive. This leads us to ask for a deterministic algorithm to construct the sets A and B. This question inherently asks about structure of the group G that can be exploited, similarly to the original Shanks method for the traditional discrete logarithm. Therefore, we will focus on the special case when G = S n. 4. BACKGROUND ON GROUPS Our deterministic algorithm will rely on some elementary group theory. For this, we state a few necessary results and definitions. All groups in this paper will be finite. If K is a subgroup of G, we write K G, and K < G if the containment is proper. We do not assume that K is normal in G. When K G, its left cosets are the G / K sets gk with g G. Right cosets are defined similarly. Note that the set of left (or right) cosets of K in G forms a partition of G. Thus if we have a subgroup K of G, we can take B = K and A to be a set of elements of G such that each left coset of K in G is represented in A. Then every element of G will be present in AB. In group theory, a minimal perfect set A of this kind is called a transversal. Definition 4.1 (Transversal). A left (right) transversal T of a subgroup K of G is a set of elements of G such that each left (right) coset of K in G has exactly one representative in T. Thus, T is a minimal set of coset representatives of K in G. To make this definition clear, we give the following: Example 4.2. Let G = Z n 2 and let K be the unique subgroup of G with n elements. Then G : K = n. If G = {0,..., n 2 1}, K = {0, n, 2n,..., (n 1)n}. One transversal of K in G is T = {0, 1, 2,..., n 1}. For this example, K and T are exactly the sets of giant steps and baby steps that the Shanks algorithm would use. However, transversals are not unique; for example, we could have taken T to be any complete set of representatives modulo n. Combinatorially, a subgroup B and its left transversal A form a perfect splitting set for G, in the sense that every g G is uniquely of the form ab, for a A and b B. Perfect splitting sets need not be subgroups, as we could always replace A by Ax and B by x 1 B, choosing x G at will. Ideally, these splitting sets have cardinality exactly G. However, n! is never a square for n > 1, so such perfect splitting sets cannot exist for G = S n. Therefore, we will either have to tolerate duplicated products (as we did in the last section), or look for set sizes close to, but not exactly matching, n!. We now give some concepts that provide a data structure for working with permutation groups: Definition 4.3 (Base). Let G act on Ω. A base B for G is an ordered subset of Ω (i.e. a list) with the following property: the only element of G that stabilizes everything in B is the identity. For our purposes G = S n, which stabilizes no element of Ω = {1,..., n}. So, we will use B := [1, 2,..., n]; that is, B = Ω with the natural ordering of the integers. We could choose to not include any single integer from B, since the action of a permutation on the missing integer can be inferred via its action on the other elements; however, it will be easier to describe the transversal algorithm with a more complete base, and no loss of efficiency will be incurred. A base provides a convenient form to represent elements of G: Definition 4.4 (Base Image). If g G and B = [β 1, β 2,..., β k ] is a base for G, then B g := [β g 1,..., βg k ] is called the base image of g (relative to B). Recall that β g i means the result of applying the group element g to the object β i Ω. With the base B := [1, 2,..., n], the base image gives the typical vector notation of a permutation. The base image B g uniquely determines the element g G. 5. BIDIRECTIONAL COLLISIONS In recent work [15], David Rosenbaum described a general framework for applying collision algorithms to isomorphism problems. Potential isomorphisms are represented by paths in a tree. Given objects X and Y, we choose one set of paths that exhaust all levels halfway down (the remainder can be chosen arbitrarily), and apply these to X. Similarly, for Y, we choose one path that goes halfway down, extend it in all possible ways, and then apply each of these to Y. If we denote the set of transformations applied to X as C and to Y as D, then, borrowing the group action notation, this framework finds some c C and d D so that X c = Y d whenever there exists some g such that X g = Y. Thus by taking A = C and B = D 1, where by D 1 we denote the set of inverses of all elements of D, this approach produces sets A and B with AB = G. To split the search space for permutations, we choose a k with 1 k n. The set C will consist of (n) k (n pick k) permutations. Each permutation sends 1, 2,..., k to all possible k-tuples in {1, 2,..., n}. We can choose arbitrarily where to send k + 1,..., n. To make D, choose an image tuple for the first k elements arbitrarily (not moving them at all will do) and then extend with all (n k)! possible suffixes. Since C = (n) k and D = (n k)!, the counting functions for these two sets are not interchangable. However, we can try to balance the values of (n) k and (n k)!. Since (n) k (n k)! = n!, finding a k such that (n) k (n k)! will, at least approximately, minimize (n) k + (n k)!, the cost of the collision algorithm. We will show that the right value of k is roughly, but not exactly, n/2. Surprisingly, the performance of the algorithm is very sensitive to k. Proposition 5.1. The method presented above finds A, B S n such that AB = S n and max( A, B ) = O(n 1/2 n!).
4 Proof. Let x be the positive real solution to x! = n! (we use x! as an abbreviation for Γ(x + 1)). Stirling s approximation says that n! ( n ) n 2πn. e Use this on both variables in the defining relation for x, and then take logarithms of both sides. We can then apply bootstrapping [7] and show that x = n 2 ( 1 + O ( 1 log n )). Since x! increases for x 1, there is an integer m such that (m 1)! x! = n! m!. Choose k so that n k (either m or m 1) is the closest integer to x. This will cause one of our sets to be larger than its ideal value n!, and we must estimate this disparity. Let n k = x + α, with α 1/2. Recall that (x + α)! x!x α as x, in the sense that the limiting ratio is 1. Using this, and our asymptotic expression for x, we have (n k)! = (x + α)! x!x α ( n ) α n!. 2 Similarly, (n) k = The bound on α gives n! (n k)! n! = n!(n/2) α. n!(n/2) α max( A, B ) = max((n) k, (n k)!) = O ( n 1/2 ) n!. Probably, the factor n 1/2 is best possible. Examination of numerical data shows that α varies irregularly within the interval ( 1/2, 1/2), and we see no reason why this behavior should not continue. In particular, there is likely to be an infinite sequence of n s on which α s limiting value is 1/2. It is also interesting to compare our procedure to one that splits the permutation vectors exactly in half, as Rosenbaum initially recommends [15, p. 193]. This splitting amounts to taking k = n/2, and as a consequence of Stirling s formula, (n) n/2 = Θ(n 1/4 2 n/2 n!) when n is even. Therefore, the overhead for exact splitting is exponential in n. It is not hard to see this intuitively, by considering a decision tree for generating permutations. Each of the large branching factors n i, 0 i < n/2, is roughly twice as large as its small counterpart n/2 i. By choosing the best splitting fraction for each n, we have reduced this overhead to a small power of n. Finally, we note that this approach indeed employs a subgroup and a corresponding transversal of that subgroup. The set D fixes the first k elements and permutes the remaining n k elements amongst themselves in all possible ways. So D is simply S n k. Because of this, D 1 = D. Then, since CD 1 = CD = S n, C is a left transversal of S n k in S n. 6. A BETTER SUBGROUP We can improve the results of the last section by using a different subgroup and its corresponding transversal. Intuitively, we can expect to get better results for the following reason: in bidirectional collision detection, we start with a fixed-length code for group elements and seek a good halfway point in the code words. This approach provides only n subgroups to choose from. To improve it, we can select our subgroup from a larger set. A better choice of subgroup is the centralizer of a product of n/2 disjoint two-cycles. Recall that the centralizer of an element h G is the set {g G gh = hg}, and is always a subgroup [4]. We have: Lemma 6.1. The centralizer of a product of n/2 disjoint two-cycles, denoted H, is a subgroup of S n. We have if n is even and H = Θ(n 1/4 n!) H = Θ(n 1/4 n!) if n is odd. When n is odd, H is the same subgroup as it would be for n 1. When n is even, write a = (1 2)(3 4)... (n 1 n), and so H = C Sn (a) = {g S n ga = ag}. Proof. When n is odd, no permutation σ that moves the integer n can commute with a, because aσ and σa will always move n in different directions. Therefore, when n is odd, the group is the same as for n 1. Now, the centralizer of a in S n, C Sn (a), has order: C Sn (a) = S n Size of conjugacy class of a. See [4] for a proof. The size of the conjugacy class of a is determined by its cycle type [4]. The number of possible permutations with n/2 disjoint two-cycles is given by: Size of conjugacy class of a = n! 2 n/2 n/2!. This can be explained as follows. First, take all possible permutations on n items. Then, since the ordering of pairs within two-cycles does not matter, we can divide by 2 n/2. Furthermore, how the two-cycles are arranged does not matter, so we can further divide by n/2!. Then: C Sn (a) = 2 n/2 n/2!. We can transform this into the desired result. We will show the algebra for the case that n is even, and then make a small change for when n is odd. When n is even we have (by Stirling s approximation): 2 n/2 (n/2)! ( n ) n/2 πn, e ( 4 n ) n/2 n! 2πn, e so C Sn (a) = 2 n/2 (n/2)! 4 π 2 n1/4 n!. When n is odd, a similar argument yields C Sn (a) = 2 (n 1)/2 ((n 1)/2)! 4 π 2 n 1/4 n!.
5 We therefore see when n is even, H is Θ(n 1/4 n!), and when n is odd, H is Θ(n 1/4 n!). The subgroup H gives an improvement on bidirectional collision detection by a factor of Θ(n 1/4 ). However, we also must have that H is efficiently enumerable. By Lemma 6.1, when n is odd, the group is the same as for n 1. Thus we need only concern ourselves with the even case: Lemma 6.2. Let n be even. The centralizer of a = (1 2)(3 4)... (n 1 n) in S n, denoted H, is generated by: H = (1 2), (1 3)(2 4), ( n 1)( n). Proof. Any products of the disjoint two-cycles of a will commute with a. The two-cycle (1 2) is present in the generating set, and by conjugating (1 2) by powers of ( n 1)( n), we may obtain the two-cycles (3 4), (5 6),..., (n 1 n). Furthermore, we may permute any of the disjoint twocycles themselves by composing them with an appropriate transformation permutation. We give the following homomorphism ϕ : S n/2 S n: For each of the disjoint cycles of σ S n/2, map (τ 1 τ 2... τ k ) to (2τ 1 1 2τ τ k 1)(2τ 1 2τ τ k ). This map is clearly a homomorphism because all we have done is replaced each cycle with two cycles, one of which maps τ i to 2τ i 1 and the other τ i to 2τ i. Since the two cycles will never share the same integers (one contains odd integers, the other even), we have effectively only relabeled σ, and thus the group operations are preserved under ϕ. Furthermore, ϕ represents the necessary mapping to permute the two-cycles of a, since it is swapping both integers within a cycle with another cycle. Then, since S n/2 = (1 2), ( n/2), the transformations that permute the two-cycles of a are generated by which equals ϕ((1 2)), ϕ(( n/2)), (1 3)(2 4), ( n 1)( n). Note that any of the products of the disjoint two-cycles of a can be composed with any of the permutations of the disjoint two-cycles of a to form a new element in the centralizer. Thus the transformations described amount to 2 n/2 (n/2)! unique elements. This is the size of the centralizer, so we know we have accounted for every element. With generators, we can run a closure algorithm to produce all the elements of H. This would achieve an O(n H ) time enumeration, but is slightly wasteful, because for each element of H, we must compose it with all generators before we can ensure all elements have been constructed. We can avoid this factor of 3 overhead by explicitly generating the elements of H themselves. Note that the proof of Lemma 6.2 shows that H is isomorphic to the wreath product C 2 S n/2, and gives an explicit way to construct H given this property. We utilize this in the following algorithm: Algorithm 1 Enumeration of the elements of H 1. Generate all possible products of the disjoint twocycles of a = (1 2)(3 4)... (n 1 n); call the set X. 2. Generate all elements of S n/2 ; call the set Y. 3. Apply the homomorphism ϕ described in the proof of Lemma 6.2 to each element of Y, resulting in a new set, Y. 4. Compose every element of X with every element of Y and return this set. Before analyzing the algorithm, we make a few statements regarding our model of computation. For the purposes of this paper, we will charge O(1) space for each integer and O(1) time for accessing elements of an array. This hides logarithmic factors in runtime and space bounds. We will additionally charge space for output, though a note on this will be made after the proof of Lemma 7.4. In this model of computation, a permutation can be represented in vector (base image) form using space O(n) and two permutations can be composed in O(n) time. Further note that we may choose to represent permutations as lists of arrays representing cycle notation, and in section 7, we will represent them as partial base images in a linked list or array. All representations can be converted to and from each other in O(n) time. We then have: Lemma 6.3. Algorithm 1 correctly enumerates the elements of H in time O(n H ) and space O(n H ). Proof. For correctness, Lemma 6.2 shows that the product set XY = H. For runtime, observe that a backtracking procedure can enumerate through all binary strings on n/2 bits in time O(n2 n/2 ). In practice, this can be done particularly efficiently by incrementing an integer and accessing its binary representation. Then for each binary string, we can concatenate the corresponding two-cycle of a for every set bit. If we represent elements in cycle notation, this concatenation can be done in O(1) time. Thus we can construct the set X in O(n2 n/2 ) time. To construct the set Y, note that a backtracking procedure can also enumerate every permutation of S n/2 in time O(n(n/2)!) (see [8] for the simple procedure). Applying the homomorphism ϕ can then be done in O(n) time per element, producing all of Y in overall O(n(n/2)!) time. There are 2 n/2 (n/2)! elements in the product set XY, and each can be computed by composing an element of X with an element of Y in O(n) time per element. Thus the elements of H can be enumerated in O(n H ) time. Regarding space, note that the most space used is in representing the output. We represent each h H in O(n) space, and so the space complexity is O(n H ). 7. CONSTRUCTING TRANSVERSALS We now consider finding a transversal of H in S n. Although finding transversals can be complicated and require backtrack search through the parent group G [8], we can take advantage of having G = S n. We first give the following definition:
6 Definition 7.1. Let B = [β 1,..., β k ] be a base. Define a partial ordering on elements of Ω by taking β i β i+1 for all 1 i < k, and β i α, for every α Ω not present in B. We extend this to base images by saying that for g, h G, B g B h if g precedes h in the lexicographic ordering on the base vectors. For our purposes, this is the natural ordering of the integers in B. Furthermore, this defines lexicographical ordering in the typical manner for base images B g and B h, g, h G. Our transversal construction will exploit the following lemma. Lemma 7.2. Let K < G S n and let B = [β 1,..., β k ] be a base of G. Then g G is the -least element of its coset gk if and only if β g j is the -least element of its orbit in for 1 j k. K β g 1,...,βg j 1 In this lemma, K g β denotes the subgroup of K 1,...,βg j 1 consisting of the elements that fix each of the elements listed as subscripts. (When j = 1, this subgroup is just K.) Although the result has been known since the work of Charles Sims, we present a proof in the interest of being self-contained. This lemma can be found (without proof) in [8, p. 115]. Proof. Suppose that g satisfies the property given in Lemma 7.2. We must show g is -least in gk. Write: g = [α 1, α 2,..., α k ]. Now suppose there exists some h gk such that h g. Write: h = [γ 1, γ 2,..., γ k ]. Since h gk, we can write h = gk for some k K. Therefore we can think of h as applying some element k to g. Now, since h g, there must be a first index j such that γ j α j; so γ i = α i for all 1 i < j. Then k must stabilize α 1,..., α j 1. Since γ j α j, k must map α j to γ j, therefore γ j and α j are in the same orbit in K α1,...,α j 1. But by assumption, α j is the -least such element in its orbit in K α1,...,α j 1. Therefore the element h cannot exist and so g is minimal in gk. In the other direction, suppose g does not satisfy the property in Lemma 7.2. Let j be the first index such that α j is not -least in its orbit in K α1,...,α j 1. Then there must be some k K that stabilizes α 1,..., α j 1 and maps α j to some η such that η α j. Then gk g. We can apply Lemma 7.2 to find base images that satisfy the property required to be -least elements in their respective cosets. However, these base images might not necessarily correspond to elements of G if G is an arbitrary permutation group. Here we take advantage of the fact G = S n. Every base image that satisfies Lemma 7.2 corresponds to some permutation on {1, 2,..., n}, which is necessarily an element of S n. Thus if it easy enough to find orbits after stabilizing in H, a transversal of H in S n can be calculated efficiently. Below we have a useful fact about the structure of H. Lemma 7.3. Denote by H n our subgroup H for G = S n. When n is even, we have that (H n) (β) = Hn 2. That is, H n stabilized by any β Ω is isomorphic to H n 2. When n is odd, H n = H n 1, so the result carries through for any β Ω, β n. If β = n, then (H n) (β) = H n. Proof. For odd n, the proof of Lemma 6.1 shows that H n already stabilizes the integer n. Now, assume n is even. It should be clear that H is symmetric around any β Ω, both because H is the centralizer of a = (1 2)(3 4)... (n 1 n), where each β Ω plays the same role, and also by the proof of Lemma 6.2. We therefore can assume without loss of generality that β = 1. Now, again observing the proof of Lemma 6.2, we can look at permutations σ that do not move 1 and have the property that aσ = σa. Clearly we cannot use (1 2) as a product in any such σ, and additionally permuting the first cycle will require that 1 is not stabilized in σ. It is then clear that: C Sn ((1 2)(3 4)... (n 1 n)) (1) = C Sn ((3 4)(5 6)... (n 1 n)). Again, by the symmetry in H, we have for even n and any β Ω, (H n) (β) = Hn 2. This leads to the following algorithm to compute a transversal of H in G = S n: Algorithm 2 Transversal of H in G = S n If n is even: 1. Recursively obtain a transversal for n 2. As a base case, if n = 2, let T = {[1, 2]}. 2. Increase every integer in the base images returned for n 2 by Prepend 1 to the base images. 4. Put 2 in all possible locations after 1 in each base image, increasing the number of base images by a factor of n 1, and return this set. If n is odd: 1. Obtain a transversal for n Put n in all possible locations in each base image returned for n 1, increasing the number of base images by a factor of n, and return this set. By design, the algorithm finds the transversal consisting of the -least element in each coset. We then have: Lemma 7.4. Algorithm 2 correctly computes a transversal of H in G = S n in time O(n G : H ) and space O(n G : H ). Proof. We first prove correctness. We use Lemma 7.2 to find the -least element of each coset of H in G. From the list of generators, it is clear that if n is even, all objects of Ω are in the same orbit in H, and if n is odd, the two orbits of Ω are {1, 2,..., n 1} and {n}. Focusing on the even case, the first base element of every transversal base image will be 1, since it is the -least of {1, 2,..., n}. Furthermore, when we stabilize 1, by Lemma 7.3, we are left with a smaller instance of the same problem, with one caveat; the base element 2 is in its own orbit, and so can exist in any position after 1. We then see we can compute the transversal efficiently by recursively computing a solution to the smaller problem and then inserting 2 in all possible positions after 1. As a base case we have H 2 = S 2, so the transversal is T = {[1, 2]}. For
7 the odd case, we now must simply place n in every possible location within the entire base image of every transversal element for n 1. We now prove runtime. Ignoring the recursion, in the even case the algorithm must add 2 to each integer of the base images and place 2 in all possible locations after 1. In the odd case the algorithm must do similarly but with n. Both cases must also copy the new transversal elements into the updated list T. With appropriate data structures, this can easily be accomplished in time O(n number of transversal elements). Since the number of transversal elements is G : H = G, we then have the H following recurrence for the runtime, when n is even: This implies T (n) = T (n 2) + O(n 3/4 n!). T (n) = O(n 3/4 n!) + O 2 i n 2 i even i 3/4 i! O(n 3/4 ( n!) + O n 7/4 (n 2)! = O(n 3/4 n!). When n is odd, we can first compute the transversal for n 1 in time O((n 1) 3/4 (n 1)!) = O(n 1/4 n!). We can then add n in the necessary locations and produce output in time O(n n 1/4 n!) = O(n 5/4 n!). So the runtime when n is odd is O(n 5/4 n!). Both of these runtimes are O(n G : H ). Regarding space, note that the most space used is in representing the final output. Representing each permutation takes O(n) space, so the space cost is O(n G : H ). As a further remark, we note the O(n G : H ) runtime can be improved by a factor of O(n) if instead of writing the output, it is iterated. By iterating, we mean cycling through the transversal, rather than writing each element of the transversal to a list. In this same model, we can make the space bound as little as O(n). Let us consider the even n case, and the same logic applies to the case of odd n. Assume we can cycle through the output at the level of recursion for n 2. For each output given by n 2, prepending 1 and inserting 2 in all positions after 1 can be done in O(1) time per insertion if the base images are represented as integers in a linked list. Furthermore, we must only maintain O(1) bits of information per level. Therefore, since there are O(n) levels of recursion, we do amortized constant amount of work per element of the transversal, resulting in a runtime that is improved by a factor of O(n) and a space bound that is simply O(n). This same logic applies to enumerating the elements of H, though we omit the argument for brevity. In general, the collision framework for our discrete logarithm problem will have each s S taking at least O(n) space and O(n) time to hash into a dictionary, so this observation will only bring a slight improvement in the space bound for our problem in certain cases. Finally, we note that the property exploited in computing the transversal was that every base image found directly via stabilizers and orbits is necessarily an element of the parent group G if G = S n. This observation can be combined with ) black-box orbit, stabilizer, and base changing methods as discussed in [8] to compute a transversal of an arbitrary permutation group K < S n efficiently. We will not discuss the details here, nor give exact asymptotic guarantees. For more information, consult the transversal algorithms discussed in Holt s book. 8. THE MAIN RESULT We have the following theorem: Theorem 8.1. We can compute sets A and B such that AB = S n with max( A, B ) = O(n 1/4 n!). The computation can be done deterministically in time and space O(n 5/4 n!). Proof. Let H be the subgroup of S n specified in Lemma 6.1. It has size O(n 1/4 n!) when n is even and O(n 1/4 n!) when n is odd. Using Algorithm 1, it can be enumerated deterministically in time and space O(n H ). Furthermore, by employing Algorithm 2, its transversal can be found and enumerated deterministically in time and space O(n 3/4 n!) when n is even and O(n 5/4 n!) when n is odd. This means we can find sets of permutations A and B deterministically such that every σ S n can be represented as a product ab, a A and b B in time O(n 5/4 n!). This lemma implies that the group action discrete logarithm problem in the symmetric group can be solved deterministically in roughly O(n 5/4 n!) time. The specifics depend on the ability to hash or compare elements of S generated for the collision procedure. We note that while randomization may be used in the analysis of such hashing functions, the algorithm itself will always produce correct results. In comparison, the computation of sets A and B by the randomized approach will take time O(n n!) and by bidirectional collision detection time O(n 1.5 n!). In this sense, our result shows the difference between randomized and deterministic algorithms for this problem can be made as little as O(n 1/4 ). It is unclear if this can be eliminated entirely, but O(n 1/4 ) is so small when compared to O( n!) that the improvement would be very minor. In particular, since 3 4 = 81 and 81! = , for practical values of n, n 1/4 will not exceed 3. Furthermore, in computing (an upper bound of) the expected number of permutations needed to achieve various reliability percentages, we note that our deterministic approach uses fewer permutations for reliability > 80% for n < 12, and > 90% for all other reasonable values of n. Thus due to the simplicity of Algorithm 1 and Algorithm 2, we consider our approach a viable practical alternative to the randomized one. 9. ACKNOWLEDGEMENTS We thank Derek Holt, Gene Cooperman, and László Babai for correspondence on computing transversals in permutation groups. We additionally thank the stackexchange community for their input on subgroup choices and the anonymous reviewers for their constructive feedback.
8 10. REFERENCES [1] L. Babai, W. M. Kantor, E. M. Luks. Computational complexity and the classification of finite simple groups. In Proc. 24th Ann. Symp. Found. Comp. Sci., 1983, pp [2] L. Babai. Graph isomorphism in quasipolynomial time. Manuscript, [3] J. Cai, M. Fürer, N. Immerman. An optimal lower bound on the number of variables for graph identification. Combinatorica, v. 12, 1992, pp [4] D. Dummit, R. Foote. Abstract Algebra. Wiley, [5] C. J. Etherington, M. W. Anderson, E. Bach, J. T. Butler, and P. Stănică. A parallel approach in computing correlation immunity up to six variables. Int. J. Found. Comp. Sci., to appear. [6] C. Gentry. Fully homomorphic encryption using ideal lattices. In Proc. 41st ACM Symp. on Theory of Computing. 41, 2009, pp [7] D. H. Greene and D. E. Knuth. Mathematics for the Analysis of Algorithms. Birkhäuser, [8] D. Holt. Handbook of Computational Group Theory. Chapman & Hall, [9] A. Kwan. Vernier scales and other early devices for precision measurement. American J. Physics, v. 79, 2011, pp [10] R. C. Merkle and M. E. Hellman, On the security of multiple encryption. Comm. ACM, v. 24, 1981, pp [11] K. S. McCurley, The discrete logarithm problem. Proc. Symp. Appl. Math., v. 42, 1990, pp [12] B. McKay, A. Piperno. Practical graph isomorphism, II. J. Symb. Comp., v. 60, 2014, pp [13] S. Orange, G. Renault, K. Yokoyama. Computation schemes for splitting fields of polynomials. In Proc Int. Symp. on Symbolic and Algebraic Computation, 2009, pp [14] J. M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., v. 32, 1978, pp [15] D. Rosenbaum. Quantum Computation and Isomorphism Testing. Dissertation, U. Washington, [16] A. Seress. Permutation Group Algorithms. Cambridge Univ. Press, [17] D. Shanks. Class number, a theory of factorization and genera. Proc. Symp. Pure Math., v. 20, 1969, pp [18] E. Teske, Square-root algorithms for the discrete logarithm problem (a survey). In Public Key Cryptography and Computational Number Theory, de Gruyter, 2001, pp
Total Ordering on Subgroups and Cosets
Total Ordering on Subgroups and Cosets Alexander Hulpke Department of Mathematics Colorado State University 1874 Campus Delivery Fort Collins, CO 80523-1874 hulpke@math.colostate.edu Steve Linton Centre
More information2 Permutation Groups
2 Permutation Groups Last Time Orbit/Stabilizer algorithm: Orbit of a point. Transversal of transporter elements. Generators for stabilizer. Today: Use in a ``divide-and-conquer approach for permutation
More informationInformation Storage Capacity of Crossbar Switching Networks
Information Storage Capacity of Crossbar Switching etworks ABSTRACT In this work we ask the fundamental uestion: How many bits of information can be stored in a crossbar switching network? The answer is
More informationFINITE ABELIAN GROUPS Amin Witno
WON Series in Discrete Mathematics and Modern Algebra Volume 7 FINITE ABELIAN GROUPS Amin Witno Abstract We detail the proof of the fundamental theorem of finite abelian groups, which states that every
More informationLecture 7: More Arithmetic and Fun With Primes
IAS/PCMI Summer Session 2000 Clay Mathematics Undergraduate Program Advanced Course on Computational Complexity Lecture 7: More Arithmetic and Fun With Primes David Mix Barrington and Alexis Maciel July
More informationGroups and Symmetries
Groups and Symmetries Definition: Symmetry A symmetry of a shape is a rigid motion that takes vertices to vertices, edges to edges. Note: A rigid motion preserves angles and distances. Definition: Group
More informationElliptic Curves Spring 2013 Lecture #8 03/05/2013
18.783 Elliptic Curves Spring 2013 Lecture #8 03/05/2013 8.1 Point counting We now consider the problem of determining the number of points on an elliptic curve E over a finite field F q. The most naïve
More informationA Mathematical Analysis of The Generalized Oval Track Puzzle
Rose-Hulman Undergraduate Mathematics Journal Volume 12 Issue 1 Article 5 A Mathematical Analysis of The Generalized Oval Track Puzzle Samuel Kaufmann Carnegie Mellon University, sakaufma@andrew.cmu.edu
More informationPUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS
PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS DELARAM KAHROBAEI, CHARALAMBOS KOUPPARIS, AND VLADIMIR SHPILRAIN Abstract. We offer a public key exchange protocol in the spirit of Diffie-Hellman, but
More informationEnumerative Combinatorics 7: Group actions
Enumerative Combinatorics 7: Group actions Peter J. Cameron Autumn 2013 How many ways can you colour the faces of a cube with three colours? Clearly the answer is 3 6 = 729. But what if we regard two colourings
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative
More informationk-protected VERTICES IN BINARY SEARCH TREES
k-protected VERTICES IN BINARY SEARCH TREES MIKLÓS BÓNA Abstract. We show that for every k, the probability that a randomly selected vertex of a random binary search tree on n nodes is at distance k from
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationLast Time. Decompose group: Subgroup and Cosets. Use for permutation groups with subgroup being point stabilizer.
Last Time Orbit / Stabilizer algorithm Decompose group: Subgroup and Cosets Use for permutation groups with subgroup being point stabilizer. Can iterate again for subgroups: Logarithmize problem. Stabilizer
More informationIdentifying Graph Automorphisms Using Determining Sets
Identifying Graph Automorphisms Using Determining Sets Debra L. Boutin Department of Mathematics Hamilton College, Clinton, NY 13323 dboutin@hamilton.edu Submitted: May 31, 2006; Accepted: Aug 22, 2006;
More informationThe decomposability of simple orthogonal arrays on 3 symbols having t + 1 rows and strength t
The decomposability of simple orthogonal arrays on 3 symbols having t + 1 rows and strength t Wiebke S. Diestelkamp Department of Mathematics University of Dayton Dayton, OH 45469-2316 USA wiebke@udayton.edu
More informationDISTINGUISHING PARTITIONS AND ASYMMETRIC UNIFORM HYPERGRAPHS
DISTINGUISHING PARTITIONS AND ASYMMETRIC UNIFORM HYPERGRAPHS M. N. ELLINGHAM AND JUSTIN Z. SCHROEDER In memory of Mike Albertson. Abstract. A distinguishing partition for an action of a group Γ on a set
More informationb + O(n d ) where a 1, b > 1, then O(n d log n) if a = b d d ) if a < b d O(n log b a ) if a > b d
CS161, Lecture 4 Median, Selection, and the Substitution Method Scribe: Albert Chen and Juliana Cook (2015), Sam Kim (2016), Gregory Valiant (2017) Date: January 23, 2017 1 Introduction Last lecture, we
More informationSymmetries and Polynomials
Symmetries and Polynomials Aaron Landesman and Apurva Nakade June 30, 2018 Introduction In this class we ll learn how to solve a cubic. We ll also sketch how to solve a quartic. We ll explore the connections
More informationTHE N-VALUE GAME OVER Z AND R
THE N-VALUE GAME OVER Z AND R YIDA GAO, MATT REDMOND, ZACH STEWARD Abstract. The n-value game is an easily described mathematical diversion with deep underpinnings in dynamical systems analysis. We examine
More informationAdditional Constructions to Solve the Generalized Russian Cards Problem using Combinatorial Designs
Additional Constructions to Solve the Generalized Russian Cards Problem using Combinatorial Designs Colleen M. Swanson Computer Science & Engineering Division University of Michigan Ann Arbor, MI 48109,
More informationIN this paper, we consider the capacity of sticky channels, a
72 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 54, NO. 1, JANUARY 2008 Capacity Bounds for Sticky Channels Michael Mitzenmacher, Member, IEEE Abstract The capacity of sticky channels, a subclass of insertion
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationNotes on cycle generating functions
Notes on cycle generating functions. The cycle generating function of a species A combinatorial species is a rule attaching to each finite set X a set of structures on X, in such a way that the allowed
More informationEXERCISES ON THE OUTER AUTOMORPHISMS OF S 6
EXERCISES ON THE OUTER AUTOMORPHISMS OF S 6 AARON LANDESMAN 1. INTRODUCTION In this class, we investigate the outer automorphism of S 6. Let s recall some definitions, so that we can state what an outer
More informationRandomized Algorithms
Randomized Algorithms Prof. Tapio Elomaa tapio.elomaa@tut.fi Course Basics A new 4 credit unit course Part of Theoretical Computer Science courses at the Department of Mathematics There will be 4 hours
More informationDefinitions. Notations. Injective, Surjective and Bijective. Divides. Cartesian Product. Relations. Equivalence Relations
Page 1 Definitions Tuesday, May 8, 2018 12:23 AM Notations " " means "equals, by definition" the set of all real numbers the set of integers Denote a function from a set to a set by Denote the image of
More informationON SENSITIVITY OF k-uniform HYPERGRAPH PROPERTIES
ON SENSITIVITY OF k-uniform HYPERGRAPH PROPERTIES JOSHUA BIDERMAN, KEVIN CUDDY, ANG LI, MIN JAE SONG Abstract. In this paper we present a graph property with sensitivity Θ( n), where n = ( v 2) is the
More informationBasic Algorithms in Number Theory
Basic Algorithms in Number Theory Algorithmic Complexity... 1 Basic Algorithms in Number Theory Francesco Pappalardi Discrete Logs, Modular Square Roots & Euclidean Algorithm. July 20 th 2010 Basic Algorithms
More informationThe cycle polynomial of a permutation group
The cycle polynomial of a permutation group Peter J. Cameron School of Mathematics and Statistics University of St Andrews North Haugh St Andrews, Fife, U.K. pjc0@st-andrews.ac.uk Jason Semeraro Department
More informationarxiv: v2 [cs.ds] 3 Oct 2017
Orthogonal Vectors Indexing Isaac Goldstein 1, Moshe Lewenstein 1, and Ely Porat 1 1 Bar-Ilan University, Ramat Gan, Israel {goldshi,moshe,porately}@cs.biu.ac.il arxiv:1710.00586v2 [cs.ds] 3 Oct 2017 Abstract
More informationSome results on the existence of t-all-or-nothing transforms over arbitrary alphabets
Some results on the existence of t-all-or-nothing transforms over arbitrary alphabets Navid Nasr Esfahani, Ian Goldberg and Douglas R. Stinson David R. Cheriton School of Computer Science University of
More informationTHE REPRESENTATION THEORY, GEOMETRY, AND COMBINATORICS OF BRANCHED COVERS
THE REPRESENTATION THEORY, GEOMETRY, AND COMBINATORICS OF BRANCHED COVERS BRIAN OSSERMAN Abstract. The study of branched covers of the Riemann sphere has connections to many fields. We recall the classical
More informationCSE525: Randomized Algorithms and Probabilistic Analysis April 2, Lecture 1
CSE525: Randomized Algorithms and Probabilistic Analysis April 2, 2013 Lecture 1 Lecturer: Anna Karlin Scribe: Sonya Alexandrova and Eric Lei 1 Introduction The main theme of this class is randomized algorithms.
More informationEquivalence Relations and Partitions, Normal Subgroups, Quotient Groups, and Homomorphisms
Equivalence Relations and Partitions, Normal Subgroups, Quotient Groups, and Homomorphisms Math 356 Abstract We sum up the main features of our last three class sessions, which list of topics are given
More informationPermutation Group Algorithms, Part 2
Permutation Group Algorithms, Part 2 Jason B. Hill University of Colorado October 5, 2010 Two recent opening sentences for presentations on polynomial-time permutation group algorithms have each had five
More informationA NOTE ON TENSOR CATEGORIES OF LIE TYPE E 9
A NOTE ON TENSOR CATEGORIES OF LIE TYPE E 9 ERIC C. ROWELL Abstract. We consider the problem of decomposing tensor powers of the fundamental level 1 highest weight representation V of the affine Kac-Moody
More informationWHY WORD PROBLEMS ARE HARD
WHY WORD PROBLEMS ARE HARD KEITH CONRAD 1. Introduction The title above is a joke. Many students in school hate word problems. We will discuss here a specific math question that happens to be named the
More informationq xk y n k. , provided k < n. (This does not hold for k n.) Give a combinatorial proof of this recurrence by means of a bijective transformation.
Math 880 Alternative Challenge Problems Fall 2016 A1. Given, n 1, show that: m1 m 2 m = ( ) n+ 1 2 1, where the sum ranges over all positive integer solutions (m 1,..., m ) of m 1 + + m = n. Give both
More informationAutomorphism groups of wreath product digraphs
Automorphism groups of wreath product digraphs Edward Dobson Department of Mathematics and Statistics Mississippi State University PO Drawer MA Mississippi State, MS 39762 USA dobson@math.msstate.edu Joy
More informationP, NP, NP-Complete, and NPhard
P, NP, NP-Complete, and NPhard Problems Zhenjiang Li 21/09/2011 Outline Algorithm time complicity P and NP problems NP-Complete and NP-Hard problems Algorithm time complicity Outline What is this course
More informationPrimality Testing. 1 Introduction. 2 Brief Chronology of Primality Testing. CS265/CME309, Fall Instructor: Gregory Valiant
CS265/CME309, Fall 2018. Instructor: Gregory Valiant Primality Testing [These notes may not be distributed outside this class without the permission of Gregory Valiant.] 1 Introduction Prime numbers are
More informationNOTES ON FINITE FIELDS
NOTES ON FINITE FIELDS AARON LANDESMAN CONTENTS 1. Introduction to finite fields 2 2. Definition and constructions of fields 3 2.1. The definition of a field 3 2.2. Constructing field extensions by adjoining
More informationUltraproducts of Finite Groups
Ultraproducts of Finite Groups Ben Reid May 11, 010 1 Background 1.1 Ultrafilters Let S be any set, and let P (S) denote the power set of S. We then call ψ P (S) a filter over S if the following conditions
More informationHW2 Solutions Problem 1: 2.22 Find the sign and inverse of the permutation shown in the book (and below).
Teddy Einstein Math 430 HW Solutions Problem 1:. Find the sign and inverse of the permutation shown in the book (and below). Proof. Its disjoint cycle decomposition is: (19)(8)(37)(46) which immediately
More informationMaximal non-commuting subsets of groups
Maximal non-commuting subsets of groups Umut Işık March 29, 2005 Abstract Given a finite group G, we consider the problem of finding the maximal size nc(g) of subsets of G that have the property that no
More informationLecture 12. Block Diagram
Lecture 12 Goals Be able to encode using a linear block code Be able to decode a linear block code received over a binary symmetric channel or an additive white Gaussian channel XII-1 Block Diagram Data
More informationCHAPTER 3: THE INTEGERS Z
CHAPTER 3: THE INTEGERS Z MATH 378, CSUSM. SPRING 2009. AITKEN 1. Introduction The natural numbers are designed for measuring the size of finite sets, but what if you want to compare the sizes of two sets?
More informationCreating Groups Caveat:
Method Selection GAP tries to select the best method (of several) for a particular operation (say NormalSubgroups) based on: What kind of object (Category group of permutations) How is it stored (Representation
More informationSolution Set for Homework #1
CS 683 Spring 07 Learning, Games, and Electronic Markets Solution Set for Homework #1 1. Suppose x and y are real numbers and x > y. Prove that e x > ex e y x y > e y. Solution: Let f(s = e s. By the mean
More informationPhysics 251 Solution Set 1 Spring 2017
Physics 5 Solution Set Spring 07. Consider the set R consisting of pairs of real numbers. For (x,y) R, define scalar multiplication by: c(x,y) (cx,cy) for any real number c, and define vector addition
More informationRecommended Reading. A Brief History of Infinity The Mystery of the Aleph Everything and More
Direct Proofs Recommended Reading A Brief History of Infinity The Mystery of the Aleph Everything and More Recommended Courses Math 161: Set Theory What is a Proof? Induction and Deduction In the sciences,
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationREU 2007 Discrete Math Lecture 2
REU 2007 Discrete Math Lecture 2 Instructor: László Babai Scribe: Shawn Drenning June 19, 2007. Proofread by instructor. Last updated June 20, 1 a.m. Exercise 2.0.1. Let G be an abelian group and A G be
More informationAN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM
AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM VORA,VRUSHANK APPRENTICE PROGRAM Abstract. This paper will analyze the strengths and weaknesses of the underlying computational
More informationECEN 5022 Cryptography
Elementary Algebra and Number Theory University of Colorado Spring 2008 Divisibility, Primes Definition. N denotes the set {1, 2, 3,...} of natural numbers and Z denotes the set of integers {..., 2, 1,
More informationSolving an arbitrary permutation puzzle
T.C. Brouwer Solving an arbitrary permutation puzzle Bachelor thesis, June 18, 2016 Supervisor: Dr. R.M. van Luijk Mathematisch Instituut, Universiteit Leiden Contents 1 Introduction 2 Mathematical formulation
More informationLecture 22: Counting
CS 710: Complexity Theory 4/8/2010 Lecture 22: Counting Instructor: Dieter van Melkebeek Scribe: Phil Rydzewski & Chi Man Liu Last time we introduced extractors and discussed two methods to construct them.
More informationDiscrete Mathematics. Benny George K. September 22, 2011
Discrete Mathematics Benny George K Department of Computer Science and Engineering Indian Institute of Technology Guwahati ben@iitg.ernet.in September 22, 2011 Set Theory Elementary Concepts Let A and
More informationModule 1: Analyzing the Efficiency of Algorithms
Module 1: Analyzing the Efficiency of Algorithms Dr. Natarajan Meghanathan Professor of Computer Science Jackson State University Jackson, MS 39217 E-mail: natarajan.meghanathan@jsums.edu What is an Algorithm?
More informationYOUNG TABLEAUX AND THE REPRESENTATIONS OF THE SYMMETRIC GROUP
YOUNG TABLEAUX AND THE REPRESENTATIONS OF THE SYMMETRIC GROUP YUFEI ZHAO ABSTRACT We explore an intimate connection between Young tableaux and representations of the symmetric group We describe the construction
More informationDecompositions of graphs into cycles with chords
Decompositions of graphs into cycles with chords Paul Balister Hao Li Richard Schelp May 22, 2017 In memory of Dick Schelp, who passed away shortly after the submission of this paper Abstract We show that
More informationPATH BUNDLES ON n-cubes
PATH BUNDLES ON n-cubes MATTHEW ELDER Abstract. A path bundle is a set of 2 a paths in an n-cube, denoted Q n, such that every path has the same length, the paths partition the vertices of Q n, the endpoints
More informationQuivers of Period 2. Mariya Sardarli Max Wimberley Heyi Zhu. November 26, 2014
Quivers of Period 2 Mariya Sardarli Max Wimberley Heyi Zhu ovember 26, 2014 Abstract A quiver with vertices labeled from 1,..., n is said to have period 2 if the quiver obtained by mutating at 1 and then
More informationAlgorithms for pattern involvement in permutations
Algorithms for pattern involvement in permutations M. H. Albert Department of Computer Science R. E. L. Aldred Department of Mathematics and Statistics M. D. Atkinson Department of Computer Science D.
More informationACO Comprehensive Exam October 14 and 15, 2013
1. Computability, Complexity and Algorithms (a) Let G be the complete graph on n vertices, and let c : V (G) V (G) [0, ) be a symmetric cost function. Consider the following closest point heuristic for
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationarxiv: v2 [math.gr] 4 Nov 2015
arxiv:1511.01019v2 [math.gr] 4 Nov 2015 A Paradoxical Decomposition of the Real Line Shelley Kandola and Sam Vandervelde Abstract. In this paper we demonstrate how to partition the real number line into
More informationInteger Least Squares: Sphere Decoding and the LLL Algorithm
Integer Least Squares: Sphere Decoding and the LLL Algorithm Sanzheng Qiao Department of Computing and Software McMaster University 28 Main St. West Hamilton Ontario L8S 4L7 Canada. ABSTRACT This paper
More informationA Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups
A Generic Algorithm for Small Weight Discrete Logarithms in Composite Groups Alexander May and Ilya Ozerov Horst Görtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty of Mathematics alex.may@rub.de,
More information1 Maintaining a Dictionary
15-451/651: Design & Analysis of Algorithms February 1, 2016 Lecture #7: Hashing last changed: January 29, 2016 Hashing is a great practical tool, with an interesting and subtle theory too. In addition
More informationGEOMETRIC CONSTRUCTIONS AND ALGEBRAIC FIELD EXTENSIONS
GEOMETRIC CONSTRUCTIONS AND ALGEBRAIC FIELD EXTENSIONS JENNY WANG Abstract. In this paper, we study field extensions obtained by polynomial rings and maximal ideals in order to determine whether solutions
More informationDefinitions, Theorems and Exercises. Abstract Algebra Math 332. Ethan D. Bloch
Definitions, Theorems and Exercises Abstract Algebra Math 332 Ethan D. Bloch December 26, 2013 ii Contents 1 Binary Operations 3 1.1 Binary Operations............................... 4 1.2 Isomorphic Binary
More informationDiscrete Math, Fourteenth Problem Set (July 18)
Discrete Math, Fourteenth Problem Set (July 18) REU 2003 Instructor: László Babai Scribe: Ivona Bezakova 0.1 Repeated Squaring For the primality test we need to compute a X 1 (mod X). There are two problems
More informationSolving Quadratic Equations Using Multiple Methods and Solving Systems of Linear and Quadratic Equations
Algebra 1, Quarter 4, Unit 4.1 Solving Quadratic Equations Using Multiple Methods and Solving Systems of Linear and Quadratic Equations Overview Number of instructional days: 13 (1 day = 45 minutes) Content
More informationCDM Combinatorial Principles
CDM Combinatorial Principles 1 Counting Klaus Sutner Carnegie Mellon University Pigeon Hole 22-in-exclusion 2017/12/15 23:16 Inclusion/Exclusion Counting 3 Aside: Ranking and Unranking 4 Counting is arguably
More informationRandom Permutations using Switching Networks
Random Permutations using Switching Networks Artur Czumaj Department of Computer Science Centre for Discrete Mathematics and its Applications (DIMAP) University of Warwick A.Czumaj@warwick.ac.uk ABSTRACT
More informationAlgebras with finite descriptions
Algebras with finite descriptions André Nies The University of Auckland July 19, 2005 Part 1: FA-presentability A countable structure in a finite signature is finite-automaton presentable (or automatic)
More informationNew Minimal Weight Representations for Left-to-Right Window Methods
New Minimal Weight Representations for Left-to-Right Window Methods James A. Muir 1 and Douglas R. Stinson 2 1 Department of Combinatorics and Optimization 2 School of Computer Science University of Waterloo
More informationGenerating p-extremal graphs
Generating p-extremal graphs Derrick Stolee Department of Mathematics Department of Computer Science University of Nebraska Lincoln s-dstolee1@math.unl.edu August 2, 2011 Abstract Let f(n, p be the maximum
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Solution Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationGENERATING SETS KEITH CONRAD
GENERATING SETS KEITH CONRAD 1 Introduction In R n, every vector can be written as a unique linear combination of the standard basis e 1,, e n A notion weaker than a basis is a spanning set: a set of vectors
More informationHow long does it take to catch a wild kangaroo?
How long does it take to catch a wild kangaroo? Ravi Montenegro Prasad etali December 3, 008 arxiv:0810789v1 [mathpr] 3 Dec 008 Abstract he discrete logarithm problem asks to solve for the exponent x,
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationOn Orders of Elliptic Curves over Finite Fields
Rose-Hulman Undergraduate Mathematics Journal Volume 19 Issue 1 Article 2 On Orders of Elliptic Curves over Finite Fields Yujin H. Kim Columbia University, yujin.kim@columbia.edu Jackson Bahr Eric Neyman
More informationPseudo Sylow numbers
Pseudo Sylow numbers Benjamin Sambale May 16, 2018 Abstract One part of Sylow s famous theorem in group theory states that the number of Sylow p- subgroups of a finite group is always congruent to 1 modulo
More informationSOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies
SOBER Cryptanalysis Daniel Bleichenbacher and Sarvar Patel {bleichen,sarvar}@lucent.com Bell Laboratories Lucent Technologies Abstract. SOBER is a new stream cipher that has recently been developed by
More informationCSCE 750 Final Exam Answer Key Wednesday December 7, 2005
CSCE 750 Final Exam Answer Key Wednesday December 7, 2005 Do all problems. Put your answers on blank paper or in a test booklet. There are 00 points total in the exam. You have 80 minutes. Please note
More informationElliptic Curves Spring 2015 Problem Set #10 Due: 4/24/2015
18.783 Elliptic Curves Spring 2015 Problem Set #10 Due: 4/24/2015 Description These problems are related to the material covered in Lectures 18-19. As usual, the first person to spot each non-trivial typo/error
More information1. Group Theory Permutations.
1.1. Permutations. 1. Group Theory Problem 1.1. Let G be a subgroup of S n of index 2. Show that G = A n. Problem 1.2. Find two elements of S 7 that have the same order but are not conjugate. Let π S 7
More informationLecture 1 : Probabilistic Method
IITM-CS6845: Theory Jan 04, 01 Lecturer: N.S.Narayanaswamy Lecture 1 : Probabilistic Method Scribe: R.Krithika The probabilistic method is a technique to deal with combinatorial problems by introducing
More informationDecomposing Bent Functions
2004 IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 49, NO. 8, AUGUST 2003 Decomposing Bent Functions Anne Canteaut and Pascale Charpin Abstract In a recent paper [1], it is shown that the restrictions
More informationON MULTI-AVOIDANCE OF RIGHT ANGLED NUMBERED POLYOMINO PATTERNS
INTEGERS: ELECTRONIC JOURNAL OF COMBINATORIAL NUMBER THEORY 4 (2004), #A21 ON MULTI-AVOIDANCE OF RIGHT ANGLED NUMBERED POLYOMINO PATTERNS Sergey Kitaev Department of Mathematics, University of Kentucky,
More information0 Sets and Induction. Sets
0 Sets and Induction Sets A set is an unordered collection of objects, called elements or members of the set. A set is said to contain its elements. We write a A to denote that a is an element of the set
More information1 Terminology and setup
15-451/651: Design & Analysis of Algorithms August 31, 2017 Lecture #2 last changed: August 29, 2017 In this lecture, we will examine some simple, concrete models of computation, each with a precise definition
More informationCS 468: Computational Topology Group Theory Fall b c b a b a c b a c b c c b a
Q: What s purple and commutes? A: An abelian grape! Anonymous Group Theory Last lecture, we learned about a combinatorial method for characterizing spaces: using simplicial complexes as triangulations
More informationENTRY GROUP THEORY. [ENTRY GROUP THEORY] Authors: started Mark Lezama: October 2003 Literature: Algebra by Michael Artin, Mathworld.
ENTRY GROUP THEORY [ENTRY GROUP THEORY] Authors: started Mark Lezama: October 2003 Literature: Algebra by Michael Artin, Mathworld Group theory [Group theory] is studies algebraic objects called groups.
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 9 February 6, 2012 CPSC 467b, Lecture 9 1/53 Euler s Theorem Generating RSA Modulus Finding primes by guess and check Density of
More information